I am in sunny Las Vegas this week at Interop and overall the show has been positive. I am surprised but very pleased by the attention and focus around virtualization this year. I just participated in a panel discussion about virtualization security that went very well. Anne Skamarock of Focus Consulting did a great job moderating the panel and asking excellent questions that will certainly help end users get a better grasp of virtualization security. In addition to me, the other speakers who participated in the panel were Charu Chaubal, Senior Architect, Technical Marketing at VMware; Chris Orr, Sr. Systems Engineer/Business Development at Tripwire; and Michael Berman, CTO of Catbird. All panelists brought different perspectives to various aspects of virtualization security and compliance.
The discussion focused on the following topics: the security level of the virtual infrastructure versus the physical infrastructure, hypervisor security threats, audit and compliance in the virtual environment, and VMware’s new vSphere 4 VMsafe solution.
Charu Chaubal did a great job explaining VMware’s VMsafe technology. VMware VMsafe is a new security technology for virtualized environments that can help to protect your virtual infrastructure in ways previously not possible with physical machines. VMsafe provides a unique capability for virtualized environments through an application program interface (API)-sharing program that enables select partners to develop security products for VMware environments.
Reflex’s new release of the Virtualization Management Center uses the VMsafe API to control and enforce policies in the virtual environment. The VMsafe APIs enable Reflex’s new vTrust technology, providing customers the ability to enforce strong security, tighter policy and control, better isolation and segmentation, enhanced scalability and more efficient management. I am very pleased with the VMsafe technology and the way that it enables partners like Reflex Systems to deliver state-of-the-art policy management and enforcement capabilities for virtual environments.
The following are some of the questions that were discussed on the panel:
1. With the changes to the infrastructure to add the virtualization layer and pull some of the functionality into the physical server, is a virtual machine more or less secure than a physical machine?
2. What are the major threats to security when moving from “P to V” and how can you protect yourself against those threats?
3. Companies have been doing physical audits of their infrastructure for years. Do physical security audits and virtual security audits interrelate? If so, how? If not, why not?
4. Can I create my DMZ in one or more virtual machines? If so, what is the best practice for securing my virtual DMZ?
5. Charu, would you please explain the VMsafe initiative? And would each of you discuss how VMsafe affects your solutions?
6. Are there any cross-industry standards that talk about virtual security best practices not only for VMware but also for Hyper-V and XenServer?
7. What about Regulatory Compliance? With virtual machines, there is no longer strict physical separation of applications and data. In fact, data for different applications often travel through the same I/O card. Can you run healthcare applications on virtual machines and still meet HIPAA regulations? What do you need to be aware of when mixing virtualization and compliance?
Hezi Moore, Reflex Systems